Why Testing Active Directory Security Controls is as Critical as Testing Backups

In enterprise IT, Active Directory (AD) often sits at the heart of identity and access management. It authenticates users, enforces security policies, and helps coordinate the access control backbone of the modern enterprise. In short, it’s one of the most valuable assets in your environment, and one of the most attractive targets for attackers.

But despite its critical nature, many organizations overlook one crucial element of Active Directory security: testing. Not configuring, not monitoring, but testing. Too often, security teams deploy security controls and assume they’re working. But just as you wouldn’t trust an untested backup, you shouldn’t trust untested security defenses.

Let’s explore why validating your AD security controls should be a regular, rigorous part of your security operations and how tools like Atomic Red Team and PurpleSharp can help you do it right.

The Active Directory Threat Landscape

AD is a gold mine for attackers. If they gain Domain Admin privileges, they own the entire network. AD compromises can lead to data exfiltration, ransomware deployment, and long-term persistence.

Attackers typically don’t need zero-days to get in. They rely on well-documented tactics and techniques such as:

  • Credential dumping from LSASS or SAM databases
  • Pass-the-Hash and Pass-the-Ticket attacks
  • Exploiting Kerberoasting vulnerabilities
  • Abusing Group Policy Objects (GPOs)
  • Leveraging DCShadow or DCSync attacks
  • Creating persistence through startup scripts, scheduled tasks, or hidden user rights

Once inside, they can move laterally, escalate privileges, and embed themselves deep into your network. This is why AD must be secured, monitored, and, critically, tested.

The Illusion of Safety

Security teams spend significant resources configuring logs, tuning detection rules, and deploying Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools. But here’s the problem: many never test whether those tools work against real-world attack techniques.

They assume logs are being collected correctly, alerts will fire when something suspicious happens, and analysts will respond appropriately.

But when was the last time you validated any of that?

This is the illusion of safety, thinking you’re protected because your tools are deployed. In practice, misconfigurations, telemetry gaps, or outdated rules can leave you blind when an actual attack occurs.

The Backup Analogy

You know the pain if you’ve ever been through a failed disaster recovery because of a corrupt or incomplete backup. That’s why responsible IT teams regularly test their backups by performing recovery drills. The goal isn’t just to have backups, it’s to ensure you can use them when needed.

The same principle should apply to your AD security controls.

You shouldn’t just configure logging and install agents. You should validate:

  • Are attacks being logged?
  • Are alerts being triggered?
  • Are analysts notified?
  • Can the SOC distinguish between noise and real threats?

Security detection is not a checkbox, it’s a system that requires tuning, feedback, and validation.

What Should You Test in AD?

A robust testing strategy covers the full attack lifecycle. Here are some key areas of focus in AD:

  1. Credential Access
    1. Dumping credentials via Local Security Authority Subsystem Service (LSASS) or Security Account Manager (SAM)
    2. Accessing stored credentials (e.g., Data Protection API (DPAPI) abuse)
    3. Mimikatz, LaZagne, and related tools
  2. Privilege Escalation
    1. Modifying admin groups
    2. Exploiting unconstrained delegation
    3. Leveraging SIDHistory or AdminSDHolder
  3. Lateral Movement
    1. Remote access via WMI or PsExec
    2. RDP sessions between servers and workstations
    3. Pass-the-Hash and Pass-the-Ticket
  4. Persistence
    1. Creating startup tasks or logon scripts
    2. Modifying Group Policy for re-entry (e.g., giving an account the ability to edit the Default Domain Policy)
    3. Implanting rogue domain trusts or user rights (e.g., delegating a user or group the ability to modify DACLs on an organizational unit containing administrators or service IDs)
  5. Reconnaissance
    1. LDAP queries for user and group enumeration
    2. Mapping trust relationships
    3. Finding service accounts with SPNs

These techniques are widely used by attackers and are fully testable in a controlled environment.

Meet Your Tools: Atomic Red Team & PurpleSharp

Testing security controls doesn’t require writing custom scripts or building an adversary simulation platform. Two community-driven tools, Atomic Red Team and PurpleSharp, make this easier than ever.

Atomic Red Team

Atomic Red Team is an open-source project maintained by Red Canary that provides small, focused tests mapped to specific MITRE ATT&CK techniques. Each “atomic” is a lightweight, self-contained command or script that emulates a particular attacker behavior.

Why it’s valuable:

  • Easy to run via command line or test runners (like Invoke-Atomic) 
  • No need to reverse engineer malware, just simulate behaviors
  • Ideal for blue team testing and detection validation

Example:

Want to test if your SIEM detects LSASS access (focus area 1a)? You can run an atomic that mimics credential dumping from memory. If your monitoring system does not generate an alert, you’ve identified a detection gap.

Atomic Red Team is ideal for precise, targeted testing of detection logic.

PurpleSharp

PurpleSharp is a C#-based adversary simulation tool designed to emulate post-exploitation behavior across Windows environments. Unlike traditional red team tools, PurpleSharp does not deliver malware. Instead, it simulates adversary actions by executing native Windows calls that leave forensic artifacts, logs, and telemetry.

Why it’s valuable:

  • It’s malware-free, although it may still trigger EDR and be blocked
  • Runs in production-like environments safely
  • Produces realistic telemetry (great for EDR testing)
  • Scriptable attack chains that emulate real-world adversaries

Example:

Want to simulate lateral movement with WinRM (focus area 3a)? PurpleSharp can emulate that scenario and generate corresponding logs and system events. You can then check if your EDR or SIEM picked it up and responded correctly.

PurpleSharp is ideal for realistic, telemetry-rich simulations in purple teaming engagements, where red (offensive) and blue (defensive) teams work together.

Building an AD Security Test Strategy

A successful strategy requires a methodical, repeatable process. Here’s a practical framework:

  1. Map Your Defenses to MITRE ATT&CK
    • Identify which techniques you want to detect.
    • Use the MITRE ATT&CK framework to understand how adversaries operate in AD.
  2. Select Test Scenarios
    • Choose relevant techniques based on risk (e.g., credential dumping, privilege escalation). 
    • Use Atomic Red Team for micro-tests.
    • Use PurpleSharp for scenario-based simulations.
  3. Run the Tests
    • Schedule tests during low-traffic windows or in a controlled lab. 
    • Document the simulation steps and expected outcomes.
  4. Measure Detection & Response
    Ask:
    • Was the activity logged?
    • Was the alert triggered?
    • Did the alert reach the SOC?
    • Was it triaged and escalated appropriately?
  5. Close the Gaps
    • If a detection failed, investigate why. 
    • Was the telemetry missing? Was the rule misconfigured?
    • Update log sources, detection logic, or alerting workflows.
  6. Automate and Repeat
    • Build repeatable playbooks for quarterly or monthly testing. 
    • Track improvement over time.
    • Integrate into purple team exercises or detection engineering sprints.
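Steps 3 through 6 above, and the LSASS example in the Atomic Red Team section, come down to one loop: run an atomic, look for the telemetry it should have produced, clean up, and record the verdict. The PowerShell below is an added illustration of that loop; it is not code from this article, from Red Canary, or from Ravenswood. It assumes the Invoke-AtomicRedTeam module is installed at the path in `$ModulePath`, that Sysmon is writing to the local `Microsoft-Windows-Sysmon/Operational` log, and that the `$Scenarios` table (one constructed entry for ATT&CK T1003.001, LSASS memory, whose expected evidence is Sysmon Event ID 10 against `lsass.exe`) describes what your own sensors should emit. The `Test-AtomicDetection` function and the output CSV path are this example’s own names.

```powershell
#Requires -RunAsAdministrator
# Added example: a minimal detection-validation loop around Atomic Red Team.
# Assumed install path for the Invoke-AtomicRedTeam module (adjust to your environment).
$ModulePath = 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'
Import-Module $ModulePath -Force

# Each scenario pairs the atomic to run with the log evidence a working control must produce.
# Constructed entry: T1003.001 test 1 reads LSASS memory; Sysmon Event ID 10 (ProcessAccess)
# naming lsass.exe as TargetImage is the minimum telemetry an LSASS-access rule needs.
$Scenarios = @(
    [pscustomobject]@{
        Name       = 'Credential access: LSASS memory read (focus area 1a)'
        Technique  = 'T1003.001'
        TestNumber = 1
        LogName    = 'Microsoft-Windows-Sysmon/Operational'
        EventId    = 10
        Pattern    = 'TargetImage:.*\\lsass\.exe'   # regex applied to the event message
    }
)

function Test-AtomicDetection {
    param(
        [Parameter(Mandatory)] $Scenario,
        [int] $WaitSeconds = 30        # time allowed for the sensor to write its event
    )

    # Report missing prerequisites first: an atomic whose prereqs are absent produces
    # no activity at all, and the run would be graded as a GAP for the wrong reason.
    Invoke-AtomicTest $Scenario.Technique -TestNumbers $Scenario.TestNumber -CheckPrereqs

    $start = Get-Date
    Invoke-AtomicTest $Scenario.Technique -TestNumbers $Scenario.TestNumber
    Start-Sleep -Seconds $WaitSeconds

    # Only events written after the test began count as evidence for this run.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = $Scenario.LogName
            Id        = $Scenario.EventId
            StartTime = $start
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $Scenario.Pattern })

    # Always undo the test's side effects, whether or not telemetry appeared.
    Invoke-AtomicTest $Scenario.Technique -TestNumbers $Scenario.TestNumber -Cleanup

    $verdict = if ($events.Count -gt 0) { 'LOGGED' } else { 'GAP' }

    [pscustomobject]@{
        RunTimeUtc = $start.ToUniversalTime().ToString('o')
        Scenario   = $Scenario.Name
        Technique  = $Scenario.Technique
        Host       = $env:COMPUTERNAME
        EventCount = $events.Count
        Result     = $verdict
    }
}

$results = foreach ($s in $Scenarios) { Test-AtomicDetection -Scenario $s }
$results | Format-Table -AutoSize

# Append to a running record so step 6 ("track improvement over time") has data to trend.
$results | Export-Csv -Path "$env:ProgramData\ad-detection-tests.csv" -Append -NoTypeInformation
```

Two caveats when reading the verdict. A `LOGGED` result proves only that the telemetry exists on the endpoint; whether the alert fired, reached the SOC, and was triaged (the later questions in step 4) still has to be checked in the SIEM and the ticket queue, so a second scenario field pointing at a SIEM search is the natural next extension. And for lateral-movement scenarios such as the WinRM example, the evidence lands on the target host (or in the SIEM), not on the machine that launched the test, so the `Get-WinEvent` query belongs on that side.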

Red Canary has a great blog on Detection Engineering.

Making It Routine: The Security Testing Culture Shift

Security testing is not a one-off project. It should be a recurring part of your organization’s security operations. Just like:

  • QA teams test code before deployment
  • IT teams test backups before disaster recovery drills

Security teams should test their controls before an incident forces the issue.

This requires a cultural shift:

  • Embrace failure as a learning opportunity
  • Break silos between red and blue teams 
  • Build a detection engineering feedback loop

By operationalizing testing, you’ll gain confidence that your defenses can detect and respond, not just in theory, but in practice.

Conclusion: Don't Assume, Verify

If you’ve never assessed your ability to detect credential dumping, GPO abuse, or lateral movement in AD, how can you know your organization is secure?

Security isn’t about hope, it’s about evidence. And the evidence comes from testing.

As you would test backups to ensure recoverability, test your security controls to ensure survivability. Atomic Red Team and PurpleSharp provide the tools; you provide the discipline.

Don’t wait for an actual attacker to validate your defenses. Simulate. Detect. Learn. Improve.

Are you ready to put your Active Directory defenses to the test? Leverage our deep expertise to validate and strengthen your security posture. Reach out to Ravenswood today! Our experts are here to help.

Bonus Tip: Start small. Run one Atomic test a week. Document the result. Build momentum.
